The Three Laws of Cyber and Information Security

It is more than 70 years since Asimov’s three laws of robotics were codified(1), becoming the basis for much classic science fiction. They have crossed the boundary from fiction to fact, and are still relevant today(2).

The three laws recognize the importance of tracing the maturity of the environment in which a system is created, used, and ultimately decommissioned. We will show how the first law defines the capabilities for ‘asset protection’, the second law the capabilities for ‘operation’, and the third law the capabilities for ‘self-preservation’.

These correspond to the three attributes of security: confidentiality, integrity, and availability.

The Standards Coordination Group of the Trusted Software Initiative(3) has recognized that ‘cyber security’ has no generally accepted definition; different standards makers use different definitions.

It is our observation that cyber security and information security are two different things, which is perhaps why those who appreciate the history (Williams, 2013) are unhappy with the term ‘cyber’ being appended to all things touching on information technology in general and the Internet in particular.

Where we are interested in the behaviour of the system, and in the monitoring and the protective or corrective feedback that behaviour requires, then it is cyber and it is permissible to borrow the term (from Wiener, 1948).

So when the SCADA(5) engineers talk about cyber security, they really mean it!

Harm to assets, by our definition, equates to proportional harm to a human being or a collective of human beings (which may be, for example, a nation state, a community, or a business). That harm may be:

either actual harm (for example, physical injury resulting from a security breach of a medical device or an airplane control system),

or implied harm (for example, financial loss through a credit card data breach, identity theft through the fabrication of credentials, or IP theft which would harm a corporation(6)).

A system comprises information assets and the processes, people and technologies necessary to exploit those assets within an environment which is likely to affect the context of the system’s use or misuse. A system is itself an asset.

The first law demands that the system’s primary cybernetics (see full paper) provide the capabilities for ‘asset protection’.

The second law expects the system that must be secured to have, in its secondary cybernetics, the capabilities for ‘operation’.

The third law expects the system’s tertiary cybernetics to have the capabilities for ‘self-preservation’.

These correspond to the three attributes of security: confidentiality, integrity, and availability (BS ISO/IEC 27002:2005)

As a practical example, considering the information technology components of the system, we may apply the three laws to three diverse manifestations:

an on-line ‘shop’,

a customer database,

and malicious software (malware).

The three laws govern how feedback from a dynamic approach to risk management is applied to regulate the confidentiality, integrity, and availability of the information assets.
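The monitoring and corrective feedback that makes a problem ‘cyber’ (as opposed to merely ‘information’) security, and the regulation of the three attributes by feedback from risk management, can be made concrete as a small closed loop: monitor a signal, compare it with a risk tolerance, act, and let the action change what the loop tolerates next time. The following is an added illustration written for this page; it is not code from the article or from any cited standard. The signal names, the thresholds, the three corrective actions and the sample monitor feed are all assumptions chosen for the example.

```python
"""A minimal cybernetic security loop: monitor -> compare with risk tolerance -> correct.

Added example, not from the original article. The signal names, thresholds and
corrective actions are assumptions chosen to illustrate the idea.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Signal:
    attribute: str   # "confidentiality", "integrity" or "availability"
    source: str      # what the monitor is watching: a client, a record, a service
    detail: str      # what was observed


# Corrective feedback per attribute (assumed actions for the example).
ACTIONS = {
    "confidentiality": "block client",     # repeated failed logins -> deny further attempts
    "integrity": "quarantine record",      # checksum mismatch -> stop the record being used
    "availability": "shed load",           # error burst -> degrade gracefully instead of failing
}


@dataclass
class Controller:
    # Risk tolerance: adverse signals from one source before the loop acts.
    thresholds: dict = field(default_factory=lambda: {
        "confidentiality": 5, "integrity": 1, "availability": 3})
    counts: Counter = field(default_factory=Counter)
    corrected: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def observe(self, sig: Signal):
        """Feed one monitored signal into the loop; return the action taken, if any."""
        key = (sig.attribute, sig.source)
        if key in self.corrected:
            return None                      # already regulated; nothing more to do
        self.counts[key] += 1
        if self.counts[key] < self.thresholds[sig.attribute]:
            return None                      # within tolerance
        action = ACTIONS[sig.attribute]
        self.corrected.add(key)
        self.log.append((sig.attribute, sig.source, action))
        # Dynamic risk management: after an incident the loop becomes less tolerant
        # of the same attribute being attacked again (floor of 1).
        self.thresholds[sig.attribute] = max(1, self.thresholds[sig.attribute] - 1)
        return action


def run(signals):
    """Drive the loop over a sequence of signals; return (controller, actions taken)."""
    ctl = Controller()
    taken = [a for a in (ctl.observe(s) for s in signals) if a]
    return ctl, taken


# Constructed sample: a monitor feed for a small on-line shop (not real data).
SAMPLE = (
    [Signal("confidentiality", "10.0.0.7", "failed login") for _ in range(6)]
    + [Signal("integrity", "order#1042", "checksum mismatch")]
    + [Signal("availability", "checkout", "HTTP 503") for _ in range(3)]
    + [Signal("confidentiality", "10.0.0.9", "failed login") for _ in range(4)]
)

if __name__ == "__main__":
    ctl, taken = run(SAMPLE)
    for entry in ctl.log:
        print(entry)
```

Running the sample shows the feedback in both directions: the first client is blocked at its fifth failed login, and because that incident lowered the confidentiality tolerance to four, the second client is blocked after only four attempts. The loop also ignores further signals from a source it has already corrected, which is what keeps a cybernetic control from repeatedly acting on the same fault.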